In case you use OpenPGP on a smartphone ...
Michał Górny
mgorny at gentoo.org
Mon Aug 10 17:19:56 CEST 2020
On Mon, 2020-08-10 at 17:14 +0200, Stefan Claas wrote:
> ಚಿರಾಗ್ ನಟರಾಜ್ via Gnupg-users wrote:
>
> > On 10/08/20 09:07, Stefan Claas <sac at 300baud.de> wrote:
> > > Matthias Apitz wrote:
> > >
> > > > On Sunday, August 09, 2020 at 10:06:13 p.m. +0200, Stefan Claas wrote:
> > > >
> > > > > > This article showed up today, when I did a Google search again:
> > > > > >
> > > > > > <https://tech.firstlook.media/how-to-defend-against-pegasus-nso-group-s-sophisticated-spyware>
> > > > > >
> > > > > > Trustworthy source.
> > > > >
> > > > > Mmmhhh, it is getting 'better and better' for smartphone users.
> > > > >
> > > > > https://www.androidauthority.com/government-tracking-apps-1145989/
> > > > >
> > > >
> > > > One can use a Linux mobile phone running UBports.com (as I and all my family do)
> > > > or the upcoming Puri.sm L5 (as I pre-ordered in October 2017).
> > >
> > > Yes, people gave me already (not from here of course) good advice for other OSs
> > > which one can use. The question is how long will those OSs be unaffected ...
> > >
> > > > Stop whining, stand up and fight and protect yourself.
> > >
> > > I am not whining ... I only wanted to let the people know. Also very
> > > interesting that only one person in this thread replied, besides you ...
> >
> > I was wary of storing my private GPG keys on my phone (if only because of theft/loss/etc), so I set up my keys on a Yubikey
> > and use that to decrypt stuff on my phone. From what I understand, even if they were to obtain secrets decrypted by the
> > Yubikey or exfiltrate private files, they would not be able to actually decrypt them given that the key resides on the
> > Yubikey (if the private key were on the phone itself, they'd "just" have to crack the passphrase or whatever, which would
> > presumably be much easier...).
> >
> > Just another way to mitigate the risk of stuff like this.
>
> Well, I do have YubiKeys and a Nitrokey too, but I would say while they can't obtain your private key they will for sure
> know the passphrase (PIN) used and the content you encrypted/decrypted on your smartphone.
>
> I came up yesterday with the idea to use an additional offline laptop[1] connected to my smartphone via a USB OTG cable
> and an FTDI USB to USB cable, costs for both less than 20 USD. When both devices are connected one uses on the laptop
> CoolTerm (cross-platform) and on the Android device serial usb terminal, available on the PlayStore.
>
> As far as I understand (someone please prove me wrong) an attacker would have a hard time to know the encrypted content
> created on the offline laptop.
>
Why use PGP on your phone if you carry a whole laptop with you anyway?
--
Best regards,
Michał Górny